1 files changed, 22 insertions, 2 deletions
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index ff5f34e3a3..5755d28104 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -9,8 +9,11 @@
 # -O0 which then results in a compiler warning.
 lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
-SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify}"
+# Error on use of format strings that represent possible security problems
-SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify}"
+SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
+SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
+SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
 SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
 SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
@@ -92,6 +95,23 @@ SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
+# Recipes which fail to compile when elevating -Wformat-security to an error
+SECURITY_STRINGFORMAT_pn-busybox = ""
+SECURITY_STRINGFORMAT_pn-console-tools = ""
+SECURITY_STRINGFORMAT_pn-cmake = ""
+SECURITY_STRINGFORMAT_pn-expect = ""
+SECURITY_STRINGFORMAT_pn-gcc = ""
+SECURITY_STRINGFORMAT_pn-gettext = ""
+SECURITY_STRINGFORMAT_pn-kexec-tools = ""
+SECURITY_STRINGFORMAT_pn-leafpad = ""
+SECURITY_STRINGFORMAT_pn-libuser = ""
+SECURITY_STRINGFORMAT_pn-ltp = ""
+SECURITY_STRINGFORMAT_pn-makedevs = ""
+SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
+SECURITY_STRINGFORMAT_pn-stat = ""
+SECURITY_STRINGFORMAT_pn-unzip = ""
+SECURITY_STRINGFORMAT_pn-zip = ""
 TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index ff5f34e3a3..5755d28104 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc
@@ -9,8 +9,11 @@
9	# -O0 which then results in a compiler warning.	9	# -O0 which then results in a compiler warning.
10	lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"	10	lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
11		11
12	SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify}"	12	# Error on use of format strings that represent possible security problems
13	SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify}"	13	SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
		14
		15	SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
		16	SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
14		17
15	SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"	18	SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
16	SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"	19	SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
@@ -92,6 +95,23 @@ SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}"
92	SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}"	95	SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}"
93	SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"	96	SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
94		97
		98	# Recipes which fail to compile when elevating -Wformat-security to an error
		99	SECURITY_STRINGFORMAT_pn-busybox = ""
		100	SECURITY_STRINGFORMAT_pn-console-tools = ""
		101	SECURITY_STRINGFORMAT_pn-cmake = ""
		102	SECURITY_STRINGFORMAT_pn-expect = ""
		103	SECURITY_STRINGFORMAT_pn-gcc = ""
		104	SECURITY_STRINGFORMAT_pn-gettext = ""
		105	SECURITY_STRINGFORMAT_pn-kexec-tools = ""
		106	SECURITY_STRINGFORMAT_pn-leafpad = ""
		107	SECURITY_STRINGFORMAT_pn-libuser = ""
		108	SECURITY_STRINGFORMAT_pn-ltp = ""
		109	SECURITY_STRINGFORMAT_pn-makedevs = ""
		110	SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
		111	SECURITY_STRINGFORMAT_pn-stat = ""
		112	SECURITY_STRINGFORMAT_pn-unzip = ""
		113	SECURITY_STRINGFORMAT_pn-zip = ""
		114
95	TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"	115	TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
96	TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"	116	TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
97		117